A report authored by computer security firm Kaspersky, and reported on BBC business news today, claimed that cyber bank robbers, with members spread as far as Russia, Ukraine and China, have been able to steal $1 billion from a range of banks and financial institutions since 2013. These attacks occurred in 30 different countries including Russia, the United States, Germany, China, Ukraine and Canada.
The modus operandi of the gang, dubbed Carbanak, involves the use of computer viruses which permit surveillance of activities on a user's screen. This enables members of the gang to either directly transfer money from banks to their own accounts or to prime cash machines to dispense cash at a predetermined time and place.
It is reported that each attack took on average two to four months with approximately $10 million taken each time.
In 2014, the Ponemon Institute published a global report into the costs of cybercrime based on its findings from 257 organisations across 7 countries, namely the United States, United Kingdom, Germany, Australia, Japan, France and the Russian Federation.
The report ranked businesses in the United States as having suffered the highest total cost burden resulting from cybercrime at $12.69 million, whereas Russian businesses suffered the lowest cost burden at $3.33 million. The costs borne by United Kingdom businesses as a result of cyber crime in the sample group totalled $5.93 million. Excluding Russia, for which there is no historic data for comparison, these figures represent a mean cost of $7.6 million per year, a 10.4% increase from the previous year.
The study reported that the most costly crimes, accounting for greater than 55% of all cyber crime cases, originate from malicious employees, denial of service attacks which prevent intended users from accessing the website, and web based attacks.
The report indicated that the average time to resolve such attacks is approximately 31 days with an average cost to the sample group of $639,462 during that 31 day period. In addition to this, the longer an attack remained unresolved, the costlier the attack.
In the United Kingdom sample group, the distribution of cyber attacks was as follows:
Web based attacks – 15%
Denial of services – 25%
Malicious insiders – 10%
Viruses, Worms, Trojans – 8%
Malicious code – 11%
Phishing and social engineering – 5%
Malware – 6%
Stolen devices – 15%
Botnets (a network of computers infected by malicious software and controlled without users' knowledge) – 6%
The above represents a major disruption to the commercial activity of businesses, both in terms of their ability to function and with regard to the loss of information integral to business functionality and customer security. The latter can have far-reaching consequences for company executives, as in the case of the Target chief executive and chairman, who resigned after news broke that his company had lost payment details and other personal data belonging to 70 million customers.
As reported in the BBC news article "How cyber-cops are taking the fight to online fraudsters", two major problems following an attack are the lack of resources available to law enforcement agencies and the reluctance to report the attack for fear of knock-on effects on the company's market performance and customer confidence.
In 2011, the UK government committed £860 million of taxpayers' money over a five-year period to the National Cyber Security Strategy and facilitated increased collaboration between the National Crime Agency, Government Communications Headquarters (GCHQ), Interpol and the newly endorsed European Cyber Crime Centre at Europol, which is based in The Hague. This is an indication of a notable shift toward prevention and enforcement to fight back against cyber crime.
Legislatively, new EU laws are soon to be enacted which will require breaches of personal data to be reported to the supervisory authority within 72 hours of becoming aware of the breach. Other such legislation will hold companies liable for up to 5% of global turnover or an upper limit of €100 million if they are negligent as to the protection of personal data.
The aim of such legislation is to force companies to spend more on security systems and preventative measures in accordance with increased spending by national and international crime agencies to combat the threat posed by cyber crimes.